In April 2014, the Court of Justice of the European Union (CJEU) declared invalid the Data Retention Directive that unified the time frame of the retention of selective data by Internet and telephone services and determined the accessibility of data by authorities in the member states. Despite the annulment of the directive, the Hungarian act allowing data retention is still in force. The Hungarian Civil Liberties Union (HCLU) now starts litigation against two major service providers in order to force the Hungarian Constitutional Court (CC) to repeal the unlawful act.
The Hungarian Act on Electronic Communications establishes that providers must retain telephone and Internet communications traffic data for six months. It is important to know that this rule concerns "only" the time frame of data retention, caller identity, caller location, the frequency of communications and other data of this kind but not the contents of communications. However, such data allows for drawing accurate conclusions regarding the private lives, everyday habits, travel patterns and social environment of concerned persons, even without knowing the contents of communications. Therefore, data retention of this kind constitutes a serious intervention into the private sphere of concerned persons as well as an infringement of fundamental rights related to the protection of personal data.
In both European and national law, data retention is sought to be justified by the need to prosecute serious crimes and the fight against terrorism. At the same time, in accordance with the ruling of the Court of Justice of the EU, the Hungarian act defining the rules of data protection is not compatible with Hungarian constitutional requirements, either, for breaching the limits of the proportionality criteria. One of the most important arguments in this vein is that everyone's data are retained, independently from whether they relate to any serious crimes or terrorist actions.
Due to the reform of the Hungarian law and, specifically, the jurisdiction of the Constitutional Court, HCLU cannot directly refer to the CC to establish that the legislation on the obligation of data protection is against the Fundamental Law of Hungary. Instead, it has to initiate a long process consisting in the following steps:
1. HCLU requests in writing the Internet or telephone service providers to eliminate any retained traffic data
2. the service provider refuses this request based on the current Hungarian legislation
3. HCLU brings court action against service providers concerning the elimination of data
4. during the trial, HCLU requests the judge to directly refer to the CC: a positive aspect of this move is that it can take place already during the first instance proceedings, and the CC has to decide upon the claim within strict deadlines (with urgency and no later than in 90 days)
5. should the judge refuse doing so, given the current Hungarian legislation, HCLU would certainly lose at trial and data would remain intact
6. an appeal would be submitted, and HCLU would lose at second instance, too
7. HCLU submits a revision request at the Curia, and only when this procedure ends...
8. ...will it finally be able to refer to the CC.
The whole process may take as long as two or three years, from sending the first letter to submitting an application at the Constitutional Court, which is not tied by any deadlines in case of a constitutional complaint. It can be assumed that, in the meantime, new EU legislation will be passed on the matter, which may be a regulation as opposed to a directive, providing for uniform rules across member states, so that the Hungarian act will have to be repealed. However, HCLU is not willing to just wait for this development.
The role of service providers is not obvious. It is because of the need to refer the CC that HCLU is forced to undertake litigations against two service providers; the problem lies in the current regulation and not with the service providers that retain a huge amount of data to meet their legal duties and not out of their own will, especially since this entails enormous costs. Most probably, service providers are not happy at all with this obligation. At the same time, in contrast with some international examples, none of the service providers contacted in Hungary agreed to submit a joint application at the courts. Mobile and Internet service providers and companies providing online services treat approaches by distinct authorities differently: Electronic Frontier Foundation deals exactly with this issue.